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We define cheat sensitive cryptograpliic protocols between mistrustful parties as protocols which 
guarantee that, if either cheats, the other has some nonzero probability of detecting the cheating. We 
describe an unconditionally secure cheat sensitive non-relativistic bit commitment protocol which 
uses quantum information to implement a task which is classically impossible; we also describe a 
simple relativistic protocol. 
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The discovery of quantum cryptography Q and secure 
quantum key distributional has led to much interest in 
understanding precisely which cryptographic tasks can 
be guaranteed secure by physical principles. We pro- 
pose here a new class of cryptographic applications of 
quantum information: cheat sensitive protocols between 
mistrustful parties. Either party may be able to evade 
the intended constraints on information transfer by de- 
viating from these protocols. However, if they do, there 
is a non-zero probability that the other will detect their 
cheating. Cheat sensitivity is potentially useful in any 
situation where the parties, though mistrustful, have an 
ongoing relationship which they value more than the po- 
tential gains from a few successful cheating attempts. 

We consider here cheat sensitive protocols for bit com- 
mitment (BC), an important cryptographic primitive 
whose potential for physically secure implementation has 
been extensively investigated '3', *?, U Sll 113 IH 
0,^^. We first introduce BC and briefly review what is 
currently known about physical implementations. 

Suppose A and B are in two different places and can 
send classical messages or quantum states to one another. 
In a classical BC protocol, A commits herself by giving 
B information corresponding to an encryption of a bit 
(either or 1), in such a way that she can later decrypt 
or unveil it for him if she chooses. It should be hard 
(ideally, impossible) for A to change the bit or for B to 
obtain any information about the bit unless and until A 
chooses to unveil it for him. One possible implementation 
is for A to write the bit down on a piece of paper which 
she locks in a safe, and then send the locked safe to B. 
To unveil the bit later, she sends B the key to the safe. 
One weakness of this method is that B might be able to 
open the safe unaided, for example by picking the lock, 
or view its contents without opening it, for example by 
magnetic resonance imaging. 

In general, the commitment and unveiling follow a 
prescribed protocol of information exchanges. We dis- 
tinguish quantum protocols, which allow the exchange 
of quantum information, from classical protocols, which 
do not. We also distinguish relativistic protocols, which 



assume the validity of special relativity and rely on 
the impossibility of superluminal signalling, from non- 
relativistic protocols, which do not. A BC protocol is 
secure, modulo certain assumptions, if it includes a pa- 
rameter which can be adjusted so that the probabilities 
of A being able to unveil a state significantly different 
from the committed state and of B being able to extract 
significant information can simultaneously be made arbi- 
trarily small. It is unconditionally secure within a given 
physical theory if the only assumption necessary is the 
validity of that theory. (Formal security definitions can 
be found in, e.g., Refs. |EE3|-) 

Sever al q uantum BC schemes have been proposed 
0, 0, 0i These schemes presently offer good prac- 
tical security, but in principle are insecure. Indeed, Lo- 
Chaud Q and MayersUB showed that no non- 
relativistic quantum BC schemes can be perfectly secure 
against both parties. Mayers 0, 0, extended this to 
prove the impossibility of unconditionally secure non- 
relativistic quantum BC and to cover models in which 
classical and quantum information are treated separately. 
Unconditionally secure classical relativistic BC protocols 
exist [Til fl^ . It is conjectured that these protocols are 
also secure against quantum attack. 

The essential weakness in non-relativistic quantum BC 
protocols highlighted by Lo-Chau and Mayers is that, 
whenever B can extract no (or little) information about 
the committed bit, A can (or very probably can) unde- 
tectably alter the commitment from to 1 or vice versa. 

A separate issue in quantum protocols is that A may 
commit an improper mixture of bit states [lol IT^ . in 
which the committed bit is entangled with another state. 
This is not advantageous when BCs are used in isolation 
— for example, to record a secret prediction — but can 
be when they are used as subprotocols for a larger task. 
A BC protocol which forces A to commit a fixed clas- 
sical bit, or 1, is said to implement bit commitment 
with a certificate of classicality (BCCC). Secure BCCC 
protocols based on reasonable quantum computational 
complexity assumptions might be possible |lJi llSl; but 
no unconditionally secure BCCC protocols exist [l3l|. 
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Relativistic BC schemes [Til IT^ offer the prospect of 
practical unconditional security. However, they require 
the maintenance of separated sites and the continual use 
of communication channels between commitment and un- 
veiling. For some applications these constraints may be 
serious disadvantages. Hence, as unconditionally secure 
non-relativistic BC is impossible, it is interesting to ex- 
plore what can be achieved by non-relativistic protocols. 
We show here that cheat sensitive BC can be imple- 
mented non-relativistically. We also give a simple rel- 
ativistic cheat sensitive BC protocol. 

Defining cheat sensitivity A cheat sensitive quan- 
tum BC protocol is a quantum BC protocol in which, as- 
suming that the commitment will eventually be unveiled, 
A cannot alter the probabilities of her revealing a or 
1 after the commitment without risking detection and B 
cannot extract information about the committed bit be- 
fore the unveiling without risking detection. Note that 
by this definition the detection probabilities only need be 
nonzero to imply cheat sensitivity. 

Protocols If a BC is encoded by non-orthogonal 
quantum states, B cannot extract information without 
disturbing the states. This means he risks detection if 
he later has to return the committed state. At the same 
time, A risks detection if she sends one state and later 
tries to claim that she sent the other. This suggests a 
strategy for cheat sensitive BC. The problem is to arrange 
for both parties to be simultaneously at risk of cheat 
detection. Standard quantum BC methods do not work 
here. For example, a protocol can not be cheat sensitive 
if A tells B at revelation what the committed state was, 
since B can then return a copy even if he has disturbed 
the original. As we shall show, there are ways around 
this difficulty. 

We now describe two cheat sensitive quantum BC pro- 
tocols. We take |0), |1) as orthonormal qubit states and 
write |±) = ^(|0)±|1)). 

Protocol 1: non-relativistic CSBC 

Stage 0: the prelude. B prepares a singlet state, 
\-^-)ab = -^{\0)a\1)b - |1)a|0)b), and sends qubit A 
to A. At certain stages of the protocol either party may 
"challenge" this singlet. This means that the other party 
must send a qubit which is supposed to be their half of 
the singlet to the challenger, who can then check that the 
two qubit state is indeed a singlet by measuring the rel- 
evant projection. If not, there is a non-zero probability 
it will fail the test. 

Stage 1: the commitment. The protocol allows a simple 
commitment procedure which A may use if she wishes 
to commit to a definite classical bit: to commit to 0, 
she prepares a qubit C chosen randomly to be either |0) 
or |— ), each with probability 1/2; to commit to 1, she 
similarly prepares either |1) or |+). Then she sends the 
C qubit to B. 

As usual in quantum BC protocols, A is allowed a more 
general non-classical commitment, in which she instead 
prepares a state \^p) = J2r=o i -i- - \'^r)A\r)c, where the 
unnormalised states \ar) are orthogonal, keeps the \)a 



system under her control, and sends the |C) qubit to B. 
We will show later that the probabilities for her unveiling 
the classical bit are fixed by such a commitment, in the 
sense that they cannot subsequently be altered without 
cheating and risking detection. 

Stage 2: the unveiling. A is first given the option of 
challenging the singlet. If she does and it fails the test, 
she has detected cheating. Next, whether or not she made 
a challenge, she must reveal the value of the committed 
classical bit (but not the qubit used to encode it) . B then 
has the option of challenging the singlet, if A did not. If 
he does and it fails the test, he has detected cheating. 

Stage 3: the game. If either party earlier challenged 
the singlet, they automatically lose the game. If neither 
challenged the singlet, they now each measure their sin- 
glet qubit in the |0), |1) basis. B sends his result to A. 
If hers is not opposite, she has detected cheating. If B 
reports the result 1 then A loses the game; if then B 
loses. 

If A loses she must reveal which state was used to en- 
code the committed bit in the qubit C . B then measures 
C to check it is in the state A claims. If not, he has 
detected cheating. 

If B loses he must return the qubit C to A. She makes a 
measurement to check it is still in the state she originally 
prepared. If not, she has detected cheating. 

This completes the protocol. Note that the cheating 
tests detect only that someone - possibly the party car- 
rying out the test - has cheated. The ambiguity here is 
not a worry since, as usual in mistrustful cryptography, 
the protocol is designed to protect honest parties against 
cheats, not necessarily to protect one cheat against an- 
other. 

A party might choose to terminate early if they de- 
tect the other cheating. However, we have not stipulated 
this, since they might choose to continue if that seems 
advantageous. 

Proof of cheat- sensitivity: The security proof re- 
lies on the following facts: 1) B cannot send anything 
other than a half-singlet without risking failing a singlet 
challenge. 2) If A or B carry out any non-trivial measure- 
ment on the singlet they risk failing a singlet challenge. 
If A preemptively makes her own challenge to avoid be- 
ing challenged, she ensures she will lose the game, and 
this forces her to make an honest commitment and un- 
veiling. 3) When A and B can no longer be challenged, 
they cannot advantageously use their singlet qubit in any 
quantum information processing. 

As we will show, these facts imply that the singlet can 
be effectively factored out from the rest of the protocol 
and merely acts to provide a random "loser" in the game. 
Neither party can be certain they will not lose the game. 
This prevents them from cheating: A may have to tell 
B what state the qubit C is in when this qubit is in B's 
hands, and B may have to return the qubit C to A in its 
original state. 

Clearly, at any stage, A and B can apply a reversible 
local unitary operation to the quantum states under their 
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control without fear of detection. We take this as under- 
stood below, rather than repeating the phrase "up to a 
local unitary operation" at each stage, since applying a 
local unitary does not per se gain a cheat anything. 

To begin the proof, note that B must prepare a singlet 
and send half of it to A, since A may challenge the singlet. 
The following lemma shows that once A and B share the 
singlet neither of them can carry out nontrivial quantum 
operations on it. 

Lemma 1. Suppose that A and B share a state 
where e H^® Hi and e 

® so that A's subsystem lies in Ha^HI® H'^ 
and B's in Hg = Hi ® H^. Here H^ and H^ denote d- 
dimensional quantum systems initially under A's and B's 
control respectively. Suppose A applies a quantum mea- 
surement, defined by Kraus operators Ei corresponding 
to outcomes i, on Ha and then returns the Hi qubit to 
B. If it is the case that, for all values of the measurement 
outcome i, B now possesses the singlet |^~) in Hl^Hl, 
then the Kraus operators Ei must take the form I ® E'^, 
where the E'^ define Kraus operators for a quantum op- 
eration on H^. 

Proof. E, (g) /s|*">Ab|V')aB = \'i'^)AB\A)AB- 

As E, (g) lB\0)a\l)b\'4')AB = \0)a\l)b\i'z)AB and E, ® 
/s|l)a|0)b|V')AB = \l)a\0)b\^i)AB, linearity implies that 
Ei acts as the identity on Hi. QED. 

This implies that, unless A challenges the singlet her- 
self before revealing her classical bit, any strategy by 
which she generates the classical bit value sent to B can- 
not involve nontrivial operations on her singlet qubit. 
Similarly, any strategy by which B extracts classical in- 
formation before A's unveiling cannot involve non-trivial 
operations on his singlet qubit. 

Now consider an honest A and dishonest B. For B 
to cheat successfully, he must extract some information 
about the committed bit before the unveiling. We have 
established that he cannot perform any operations on his 
singlet qubit before the classical bit is unveiled. Thus he 
must restrict his attention to qubit C up to this point. B 
would like to know, before the unveiling begins, whether 
the committed state is |0) or |— ) corresponding to a or 
|1) or \+) corresponding to a 1. The most general way 
he can extract information is to introduce an ancilla |P), 
apply a unitary operation Ui, and then measure part of 
the system, creating the state 

Ui\P)\r)c=Y.''r\^)K) (1) 

i 

where r = 0,1,-1-,—. B measures onto the states |i) 
(which are orthonormal) . For outcome i he will possess 
the state |?7*). When A declares the committed bit in 
step 1 of the unveiling B will know he has one of two 
states. However, there is no deterministic algorithm for 
decreasing the overlap between two states. 

We first assume B makes no nontrivial use of his singlet 
qubit after A's unveiling, B must thus ensure that 

\Wo\v'^)\<m-)\ and |(ryih;)|<|(l|+>| (2) 



so he can send the correct state to A in stage 3 if he loses 
the game. We will now see that under these conditions 
B can extract no information about the commitment be- 
fore unveiling. Consider applying the controlled unitary 
operator C/2 = | «) («| «) f/* to the RHS of ijlj, where 

C/^K) = |0), WW_) = a^\0) ^ b^\l) , 

and without loss of generality (redefining I77L) by a phase 
factor if necessary) we take a' and 6* to be real and 
positive. From Q it follows that a* < ^ < 6*. Let 
U = U2Ui. We have 

C/|0|0> = (E^oN>)|0) (3) 

i 

u\P)\-) - (e.c^«'K))|o) - {E^c^m)\l)■ 

However, we also have 

^1^)1-) = f^72l^)(|0) - = 72(E^oN>)|0> + |±) 

i 

(4) 

where |_L) is orthogonal to the first term on the RHS 
of Q. We can put |_L) = a\A)\0) + (3\B)\l) where 
+ = ^- Comparing (0) and Q we obtain 
\P? = i^\c-b'\^ < I < EJcLa^p. Since a' < b\ 
this implies that a* — — ^ fo'" * f^^' which cL ^ 0. 
Hence, comparing (PJ and (and since we now have 
a = 0) we obtain = Cq for all i. Also, 

[/|P>|l>^C/|P)(|0)-^/2|-)) (5) 
= E.cj,K)(|0)-V2|-» = E.c^oN>|l> 

Hence, \c\ \ — |cq| for all i, and similarly |c!)_| — \c''_ \ for all 
i. Thus the probability of a given outcome i cannot de- 
pend on the bit committed, and so no information about 
that bit can be extracted without B risking detection. 

Now we need to exclude the possibility of B cheating 
without risk of detection by extracting classical informa- 
tion from A's commitment qubit and then carrying out 
some nontrivial operation on that qubit and his singlet 
qubit between the unveiling and the game. The most 
general state A and B may share just after unveiling is 
\'^~)AB{\ai)A\tpi)B + \a2)A\ip2)B), where the first state 
is the as yet undisturbed singlet and the second is a state 
entangling two of A's orthogonal control states \ai) with 
two normalised states \ipi) resulting from B's actions on 
the two states (say |0), |— )) corresponding to A's unveil- 
ing c-bit. If B has extracted useful information, we have 
|( V'l I ^^2 ) I > |( I — ) I . -B must now generate a bit to tell 
A whether or not he will challenge, and without loss of 
generality we can assume he does so by applying a local 
unitary operation to create a qubit |)c which is sent to A, 
where |0)c and |l)c declare respectively no challenge and 
a challenge. Considering the constraints on B implied by 
the protocol, given that he wishes to avoid any risk of 
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cheating detectably, we see the unitary operation must 
implement a map of the form: 

\'^')ABi\ai)A\^l)B + \a2)A\lp2)B)\*o)c ^ (6) 
\^l)AB{\ai)A\0)B + \a2)A\-)B)\l)c 
+ |0)a|1)b|*2)ab|0)c 
+ |l)^|0)B(|ai)A|0)B + |a2)A|-)B)|0)c , 

where are unspecified states. Considering the com- 
ponents of |l)^|Q;i)yi in this equation, we see that in par- 
ticular the unitary operation must deterministically map 
states with overlap | ( V'l I ^^2 ) | to states with overlap no 
greater than |(0 | — )|. That is, it must deterministically 
decrease the overlap, which is impossible. 

Now consider an honest B and a dishonest A. The 
most general thing A can do initially is entangle the 
qubit C with some ancilla A which she keeps. Then the 
entangled state she prepares can be written as \ip) — 
J2r=o 1 + - \c''r)A\r)c- The states \ar)A need not be nor- 
malized, nor do we impose at this stage that they are 
orthogonal. Further, since the states \r) form an over- 
complete basis, the states \ar) need not be unique. We 
will show that, if A is to be certain of not being caught 
cheating, then there must be some way of writing the ex- 
pansion above such that states \ar) are indeed orthogonal 
(if they have non-zero norm). To see this consider what 
happens at the unveiling stage. A must announce the 
committed classical bit to B. The most general thing 
she can do is perform a unitary operation on A of the 
form 

\ar)A \MA'\k)A" (7) 

fe=0,l 

and measure on A" to extract a bit, fc = 0, 1, which she 
sends to B as the committed classical bit. At this stage A 
may have already challenged the singlet in which case she 
has lost the game and must tell B what the state of the 
qubit C is. Alternatively, she may not have challenged 
the singlet. Then B may challenge the singlet. If he 
declines he can immediately measure his singlet qubit in 
the |0), |1) basis. He may get a 1 in which case A loses 
the game and must tell B what the state of qubit C is. 
A's singlet qubit will, in this case, be collapsed into a 
definite pure state and, hence, is of no use to A in any 
cheat strategy. In the case where A gets fc = she must 
be able to collapse the qubit C onto either |0) or |— ) by 
making a measurement on A' and hence we must have 

J2 |/3.o)|r) = N|0) + 1^.^)1-) (8) 

where {u\u^) — and, similarly, for the fc = 1 case, we 
must have 

\f3ri)\r) = \vm + \v^)\-) (9) 

r=0,l, + ,- 

where {v\v-^) — 0. This means that we can write Ua ^ 
Tcm = |i)A|0)c + |2)A|-)c + |3)A|l)c + |4)A|+)c, where 



\i)A = \u)a'\0}a", etc., and Ua is the unitary operator 
mentioned above that A may apply at the unveiling stage. 
The states |i) are orthogonal. The probabilities that A 
declares a 0, 1 are given by 

Po-(i|i) + (2|2), pi = l-po, (10) 

As the states |i) are orthogonal, we have 

Po = Tr(pcCTc) - 5 , Pi = 1 - Po , (11) 

where pc = TrAdV'XV'l) and ac = |0)c(0|c + |-)c(-|c. 
Since these probabilities only depend on the reduced den- 
sity matrix of the qubit C which is in _B's hands, there 
is nothing A can do to alter them once she has sent this 
qubit to B at the commitment stage. Hence we see that, 
if she is to be certain of avoiding being detected cheating, 
she cannot alter the probabilities of declaring a or a 1. 

Protocol 2: relativistic CSBC We now describe a 
simple relativistic cheat sensitive BC protocol. A and B 
agree two non-orthogonal commitment states, \ipo) and 
IV'i), corresponding to commitments of and 1. A sends 
B the state corresponding to her commitment. When 
A is ready to unveil, she and B set up two extra sepa- 
rated sites, Ai and Bi relatively near the main sites A 
and B which they occupy, and A2 and B2 further away, 
with the separations such that d{A,B) w d{Ai,Bi) « 
^(^2,-82) << d{A,Ai) « d{A,A2). Each party can 
verify these separations by timin g th e receipt of mes- 
sages, so no trust is required here|l6j. A2 then reveals 
the committed bit to i?2. Before this information can 
reach A, B, Ai and Bi , these four carry out a relativistic 
coin tossing protocolflq. If they obtain a, 0, B returns 
the commitment state to A for testing; if a 1, B keeps it 
and tests it once B2 has informed him of A2^s revelation. 

Discussion Quantum information allows us to im- 
plement unconditionally secure cheat sensitive BC by 
relatively simple protocols, which will easily be imple- 
mentable when the technology for quantum state storage 
is developed. The mechanism for cheat sensitivity used 
in these protocols relies on the properties of quantum in- 
formation: classical information cannot be used in the 
same way, since A cannot be sure if B has extracted 
information from a classical message. It would be inter- 
esting to understand how to optimise the levels of cheat 
sensitivity against A and B, and to quantify the effect 
of noise (which would tend to make our protocols imper- 
fectly cheat sensitive). 

Finally, our results suggest the possibility of cheat sen- 
sitive implementations of other cryptographic tasks, such 
as non-relativistic quantum multi-party computation for 
general functions, for which unconditional security is not 
always attainable|l7). It would be interesting to under- 
stand precisely which tasks can be implemented with 
cheat sensitivity. 

After submitting the first version of this paper, we 
learned of independent work by Aharonov et al.|l8j. who 
define and implement a related weaker cryptographic 
task, quantum bit escrow. 
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